Intrusion Suspected, Advice Sought

Dan Margolis dmargoli+freebsd at af0.net
Wed Jan 12 21:08:59 PST 2005 

On Thu, Jan 06, 2005 at 08:29:20PM -0800, JohnG wrote:
> I've worked on this machine for about 17 
> months, and I know its rhythms and what should be what. 

It doesn't sound like you have a lot of evidence for a deliberate
intrusion versus a system anomoly, but let's entertain the notion for a
bit. 

- The most likely attack vectors are not remote active attacks--you
  are, after all, firewalled and not running any listening services,
  right?--but rather a variety of passive attacks: trojans, Web-based
  attacks, etc. As in the case of the telnet://, disk://, help://, etc
  URI handler vulnerabilities, it is possible for a malicious Website to
  execute arbitrary code when you visit it

- If an attacker wanted to preserve access, he'd almost certainly
  install a backdoor. There are certainly ways to install a network
  backdoor on a machine that doesn't have remote access facilities
  without adding an obvious listening service, but since you're behind a
  firewall, it's hard to imagine this happening, especially for a
  relatively low-value target as your desktop PC (unless you're not
  telling us something about your day job--are you a narc or something?
  ;)

In other words, the likely scenario here is a passive attack as the
initial intrusion, with a very sneaky backdoor as the follow up. It's
hard to imagine this combination; why go to such trouble for a target
likely to be %5 of your hits (unless you're a Mac site or something), a
large chunk of which wont be vulnerable anyway? It just strikes me as
improbable. 

Anyway, to regain confidence, your best bet would indeed be a reinstall,
but your primary concern (barring buffer overflows via specially crafted
documents, etc) should be executables. If you do an archive reinstall
and replace all your third party apps, you'll replace all those without
losing your documents, and you're most likely pretty safe. 

Another proactive approach is to use something like Samhain, AIDE, or
Tripwire--a Host-based Intrusion Detection System. They should work as
well on OSX as they do on FreeBSD. 

Sorry for the off topic thread, folks. But I was hoping I could be of a
little bit of service. 

-- 
Dan

More information about the freebsd-security mailing list